Clock strikes 12 for RSA
- By John x_Zyskowski
- Sep 25, 2000
Security players have mixed views about whether this month's expiration
of a key security patent will lower the prices that agencies pay for products
that use encryption and digital signature technology. But they do agree
that buyers should soon have more options from which to choose.
The 17-year patent for the RSA public-key encryption algorithm was
set to expire Sept. 20. However, the holder of the patent, RSA Security
Inc., sought to steal the spotlight from competitors celebrating the expiration
by releasing the patent into the public domain two weeks earlier than scheduled.
Still, RSA officials downplayed the importance of the event.
"I don't believe that there's a lot of significance to this," said
Lynn McNulty, director of government affairs for RSA Security. "We've licensed
the technology to more than 800 companies over the years. Most of the companies
that are serious about this technology use our toolkit already."
"Everyone has known the date has been coming closer; it's more symbolic
than important," said John Pescatore, research director for Internet security
for technology research firm Gartner Group Inc. "It is the end of an era,
Carl Boecher, president and chief executive officer of smart card vendor
Datakey Inc., an RSA licensee, thinks the cost impact of the patent expiration
"is not that significant."
Datakey uses the RSA algorithm in its products two ways. First, the
company bought an RSA patent license, which enables it to implement the
algorithm in its smart cards. It paid RSA Security an initial fee for the
license and a royalty for every card it sold.
Now that the patent has expired, Datakey doesn't have to pay RSA Security
the royalty on the license. "We pay about 25 cents per card for it, so the
savings as far as the system is concerned are insignificant," Boecher said.
Datakey also licenses RSA's BSAFE programming toolkit, which it used
to help build a desktop software application that uses the RSA algorithm
and works in conjunction with the smart cards. That agreement will not be
immediately affected by the patent's expiration.
If the competition has any effect on prices, he believes it will be
negligible. "The cost of BSAFE [in our desktop application] is around a
dollar," he said. "If it gets cut in half or by a quarter, it's not really
that different than where things are now."
But Boecher does expect that the patent's expiration will encourage
other vendors to develop the equivalent of RSA's BSAFE toolkit.
Indeed, on Sept. 11 security vendor Baltimore Technologies Inc. launched
its KeyTools suite of software that other developers can use to integrate
security features into their applications. Previously, Baltimore Technologies
offered only a limited set of its products for sale in the United States
because of RSA's licensing conditions, but it did sell the entire tool-
kit elsewhere in the world, where the RSA patent did not apply.
With the new KeyTools products, Baltimore Technologies will sell a uniform
set of products that use the RSA algorithm in the United States and abroad.
For their part, RSA Security officials believe the patent expiration
will not adversely affect their company's prospects.
"It's not so much the [algorithm], but it's how it gets implemented,"
said Art Coviello, chief executive officer of RSA Security. "We're hoping
this will spur people to use the RSA algorithm, and we think we have the
best implementation of this algorithm. We've been developing with this technology
now for 17 years. This algorithm represents one-tenth of 1 percent of the
code in one of our products."
Outside of RSA Security, other vendors expect significant changes to
follow the patent's expiration. Raosoft Inc., a developer of electronic
forms software used by the Marine Corps and the Air Force, built support
for the RSA algorithm into its products but left it up to its customers
to obtain the license to use the algorithm directly from RSA.
"We built it with the expectation that the price would be low enough
that customers could afford it," said Potluri Rao, president of Raosoft.
"But after our customers saw the price tag, they shied away from it."
Rao thinks that many of his customers will consider using the RSA algorithm
now that the patent has expired. Many of them, however, developed work-arounds
for the security issue, such as printing paper versions of completed surveys
or forms and then signing them manually. Those customers will have to rethink
and probably redesign their forms applications to use electronic signatures
based on the RSA algorithm.
Rao also believes that a crop of new RSA-based tools and applications will
emerge that come in limited versions for little or no charge and as more
sophisticated products that will carry a higher price.
The RSA patent issue would have been moot about two years ago for the
government because before then federal standards for security technology
did not allow agencies to use the RSA algorithm.
Since 1994, under Federal Information Processing Standard (FIPS) 186,
agencies were supposed to use only the Digital Signature Standard, which
specified the government's own Digital Signature Algorithm as the single
technique for the generation and verification of digital signatures.
But in December 1998 the National Institute of Standards and Technology
approved FIPS 186-1, which allowed agencies to use the RSA algorithm without
obtaining a waiver. Six months later, FIPS 186-2 was approved, allowing
the use of the Elliptic Curve Digital Signature Algorithm as well.
—George A. Chidi Jr. of the IDG News Service contributed to this story.